
2022 Cyber Predictions: What's Coming & What Can We Do About It?

Cyberattacks took the spotlight in 2021, constantly highlighting the weaknesses in current defenses and the need to improve and evolve cybersecurity strategies. But what will 2022 bring to cyberspace? To paint a better picture, we've teamed up with IT professionals across various industries to get their opinions on what to expect this year, how to secure digital experiences, and how to prepare your organization for new cyber challenges moving forward. We talk about ransomware-as-a-business, zero trust adoption, the Log4j aftermath, and many more hot topics.


Listen to the podcast:

Spotify | Anchor.FM | Apple Podcasts

Chuck Markarian

Another thing: if you allow, and I think we all do, any type of remote access into your systems, MFA, some sort of second factor, that's gotta be like table stakes. You absolutely have to have that. If you don't have that, you need to push as hard as you can with your executives to get that in place. I know it's maybe a little bit of an inconvenience, but there are ways to make it fairly straightforward to do, and it's an absolute must. And hopefully all of us have that today, but I'm always amazed when I talk to people that don't.

 

William Papa

You're listening to IAM Pulse, a podcast discussing all things identity access management, from defending against cyber attacks to enhancing our overall cybersecurity strategy. This podcast is brought to you by BIO-key International, an innovative provider of flexible, secure access management and biometric identity solutions. We're sitting down to talk about the impact identity access management makes on you and your business.

 

Kimberly Biddings

Hello everyone, and welcome to our session today on 2022 cyber predictions: what's coming and what can we do about it? My name's Kimberly Biddings. I am representing BIO-key today and very excited about our session. It's a panel discussion that you definitely don't wanna miss. So to start the conversation, I definitely wanted to tee up a little bit of where we're at from the last, let's say, 12 months, or even since the start of the pandemic. And truly it's unprecedented in terms of the changes that we're seeing overall: an always-on explosion of digital transformation, and right along with that we saw an explosion of cyber attacks. So some of the statistics that stand out when we take a look back at the last 12 months or so: ransomware really has taken over as one of the key attack vectors that cyber criminals are using.

And so we've seen about a 40% growth since the start of the pandemic. And at this point, every 11 seconds a business falls victim to ransomware. So if anybody wants to do the math out there and figure out exactly how many businesses during this session, you can only imagine the impact that this is having globally. So a huge increase in ransomware attacks, and right along with that is the cost of a ransomware attack. In general, according to the IBM Cost of a Data Breach Report from last year, 4.24 million is now the average cost of a breach, and it's just continuing to rise. Now, when we talk about the rapid digital transformation, a lot of businesses immediately had to go online, into the cloud, and offer different services than they did before, especially with the pandemic. And so we're seeing about 97% of global companies reporting that accelerated adoption of technology, especially with cloud migration and cloud adoption.

Now on the other side, life hasn't really gotten any easier for IT and IT security teams. For any of you sitting in those roles, I really don't need to tell you that. But we're experiencing the great resignation and a cyber talent shortage. Last I checked, there's about a 3.5 million gap in job openings in terms of global need for cyber talent, and even CISOs: if we look at CISOs, 25% have not taken time off in the last 12 months. So we're looking at burnout, low resources, and just a shortage in terms of expertise being able to combat some of these challenges in cyber risk. And then finally, we're seeing an increase in regulatory requirements, and what's really a compelling event right now is the cyber insurance requirements, with a 20 to 50% rate increase in 2021.

And we're seeing mandates and requirements for multifactor authentication, as well as other security controls, to keep your insurance or avoid things like a doubling of your premium. So today I'm really excited. This is gonna be a great session. We are looking at a little bit of the past, what we've seen over the past 12 months, but then really looking into 2022: is it gonna be a lot of the same? Is it gonna be new predictions? I'm very excited today as I'm joined by a panel of IT and cybersecurity professionals who really have that firsthand experience and perspective to share with all of you as to what it's like to manage these in real life and how they're going to adapt into the next year. So with that, I would like to get started and introduce our panel. We're gonna go around, do a brief introduction of yourselves, and give a bit about your role, organization, and cybersecurity experience so that our audience can get to know all of you a little bit better. So Ron, you're at the top of the list. Let's start with you: a little introduction, a bit about Guilford Technical Community College, and some of your cybersecurity experience.

 

Ron Horn

Sure. Well, thank you, Kimberly. Glad to be here today. Really excited about participating with this panel. I know we've got a lot of good information to get out today. So my name is Ron Horn. I'm the associate vice president and CIO for Guilford Technical Community College. We're about the fourth largest technical community college in the state of North Carolina, one of 58 community colleges in the state. We have upwards of 25,000, a few more than that, students enrolled per year, with a lot of traditional courses and some non-traditional ones that we offer to our students. So I have been in the higher education industry for a little over three years now. It was about 13 years prior to that in healthcare, and cybersecurity has pretty much been a part of my life ever since I got into IT. It was part of it while I was in the military and the federal government, and I just carried that on into other industries.

And so we're just focused a lot on the attack vectors within cybersecurity, focused on cyber insurance as a lot of other companies are as well, making sure that we are reducing our risk as much as possible. And we will get into this a little bit later, but we also were the victims of a cyber attack on September 13th of 2020, which was a real exciting time for our colleagues. But we'll get into that later. Once again, glad to be here and glad to be here with the rest of my colleagues.

 

Kimberly Biddings

Excellent. Thank you, Ron. And yes, the firsthand experience you've shared with me is eye opening as to how to go through that cyber attack experience, so I'm looking forward to sharing some of that with the attendees. Chuck, you're next on the list. Let's go to you for a brief intro and an overview of PACCAR and cybersecurity there.

 

Chuck Markarian

Great, thanks Kimberly. And thanks for pulling the panel together; I'm looking forward to it. So my name is Chuck Markarian. I am the chief information security officer for a company called PACCAR. We're in the trucking industry. You know, we make Kenworth trucks, Peterbilt trucks, DAF trucks over in Europe, as well as winches and some other things. I've been with the company about 17 years now and always had a security role in the company. Prior to that I was with AT&T Wireless for several years, and with Boeing Commercial Airplane Company for several years. I've always been in the IT field, about 20 plus years now on the security side of things. So my role with PACCAR is really related to information technology and the securing of it. I do get involved with our manufacturing sites and securing the OT environment, and I work real closely with our product development teams on ensuring that the whole ecosystem around our vehicles is properly secured. Now that we have more of the connected type vehicles with our connected trucks, we're pulling data on and off; they become basically data centers on wheels, and we have to provide the right protection for them, especially as we look to move forward with things like autonomous and electrified vehicles. There you go. So again, looking forward to the discussion. Thanks.

 

Kimberly Biddings

Thanks. Thanks so much. And yeah, IoT: some people say the term, and Chuck, I believe you live it. So <laugh>, that's an excellent perspective to bring as well. And Bruce, going to you from Cedar Crest College.

 

Bruce Sarte

Yes. Hi, my name is Bruce Sarte and I am the director of information technology for Cedar Crest College. We are a small liberal arts college in Allentown, Pennsylvania. We have a very heavy focus on sciences and health sciences and on producing well-rounded graduates for the workforce. I have been helping to secure and create efficiencies in educational institutions and their technology for going on about 30 years now, and that includes K-12 and higher educational institutions. My experience in the security field has been very focused on protecting the data that students, parents, families, and the institutions need to keep secured and private, and making sure that they don't have to worry about the security of their data no matter where they're going to school and what might occur in those environments. And I'm sure Ron can attest to that: it's a bit of a unique ask when you're in education, and it's so difficult, and resources are tight, and you work with what you have. And I think that creates a unique perspective on it.

 

Kimberly Biddings

Sure. And we do have quite a few higher education folks attending today. You know, higher ed's one of those places I've always been surprised by, at how much data and how many diverse data types you have to manage and secure with, like you said, limited resources. So Bruce, thank you, and we'll get more into those going forward. And of course, last but not least, John, please introduce yourself and say hi to everybody out there.

 

John Riley

Hey everybody. I'm John Riley, I'm the executive director of IT and enterprise services at KQED, which is a public media TV and radio station in San Francisco. I've been with the organization for six and a half years, and we also were hit with a major ransomware attack back in June of 2017, back in the golden age of ransomware, I guess <laugh>. We did not pay the ransom and we recovered ourselves. We did not use external vendors. So I have a lot to say about that experience, which at the end of the day has actually been all positive. So...

 

Kimberly Biddings

Yeah, yeah. We talked about it, right. There was, I think John, before ransomware and after ransomware <laugh> in terms of perspective. And John, you know, for everybody out there, we always joke that ransomware seems to have just hit the news in 2020, 2021, but in 2017 it was rampant, and it has been for quite a long time. So that's the perspective you bring to the table as well.

 

John Riley

Right after we were hit, the city of Atlanta was hit. I think it was within a month.

 

Kimberly Biddings

Oh yeah. Yep. I remember that case. That's right. And like I said, in 2017 the general public wasn't as aware of it. Now I think everybody who watches the news hears about it. But I even remember, I think it was Hollywood Presbyterian was 2000-something, and Ron, you, I know 2012, I believe it was that early, if not even before. So wow. Yeah, it's been a while. And so that's getting into the first topic we wanted to cover with our panel today. We are gonna look forward into 2022, but we did wanna look at the past 12 to 24 months, because we've just seen such unprecedented changes and huge challenges as organizations are trying to tackle cybersecurity. So when each of you looks back over the last 24 or 12 months, wherever you wanna draw that line, what were some of your biggest security concerns, challenges, and/or projects? Chuck, let's start with you on this one.

 

Chuck Markarian

Okay. Yeah. So, you know, everybody talks about COVID and the remote workforce, and that was a bit of a challenge, but for us that wasn't too bad; we were relatively prepared for it. We're pretty locked down and restricted on what we do with PCs. So it was really just a matter of how we addressed people who didn't have laptops. That part of it was a change for us. We had to quickly shift, make sure we had all of our third factor authentication in place, and then set up either virtual sessions or VDI sessions in the cloud that people could connect to and still do their work. So we shifted real quick, over about a two week period, and got our users up and running. So that was a challenge, but it's been a big success story for IT, for our security side, and for the business.

 

Kimberly Biddings

And how long, sorry, Chuck, how long did it actually shut down operations, if it did at all, for PACCAR?

 

Chuck Markarian

It was not really much of a shutdown of operations for us. We kept things running pretty smoothly. Some individuals didn't have as much access maybe as they would've liked to have had, but from an operations standpoint, things kept moving along. So really, really minor business disruption.

 

Kimberly Biddings

Excellent. And then how, sorry, go ahead.

 

Chuck Markarian

Oh, I was gonna say, you know, some of the other things that we looked at over the time: third party risk is a big one for us. We're doing more stuff in the cloud, and also third party risk in terms of regulations. We're a global company, so we have the UNECE, the United Nations Economic Commission for Europe, and some of the regulations around that that we have to deal with, specifically some things around our connected vehicles and some tight security controls that we have to get implemented here in the next year on those. So that's been a big challenge for us, to really get a good handle on third party risk, supplier risk. Another thing I think, and this came up too when you look at Log4j and the challenges with that, is: do you have the grasp on your assets, full software and hardware, that you really want to have? Can you quickly respond? Do you know where those vulnerabilities are? And I think that's an area that's gonna continue to grow and develop. Everybody wants to have that CMDB type solution in place, yet it's very, very difficult to implement and manage long term. So those are some of the things for me.

 

Kimberly Biddings

Excellent. Excellent. Okay, any of the other panelists having to deal with Log4j, or, I would assume, cloud migration out there?

 

Ron Horn

Yeah, when March 13th came around, that day we moved to a remote environment. Within about three days we implemented a collaboration tool and rolled it out. We were right in the middle of a semester, so couldn't have had better timing <laugh> from that perspective, but, you know, a good thing about my team is they were all hands on deck and the folks were ready. We implemented the collaboration tool and got everybody online. Chuck mentioned it, and I'm sure John and Bruce had to do the same thing, but we were throwing laptops out left and right, trying to get 'em into the hands of people who didn't have them, and to establish and maintain connectivity while they were away, all the while we were rolling out our SIEM tool and implementing controls. Someone talked a little bit about third party vendor management: we use what's called a HECVAT, and that's a Higher Education Community Vendor Assessment Tool.

It's a whole mouthful, but we use that as a measuring stick, if you will, for all of our vendors coming in to do business with the organization, and try to help reduce our risk that way. And over that 24 month period you're talking about, just as we thought, well, actually about the time what was COVID 1.5 hit or whatever <laugh>, whatever version it was, in September we were hit by a cyber attack. And we were down for a couple of days, which wasn't bad. But, you know, John spoke a little bit about it earlier. We rebuilt from greenfield, so we started fresh. We assumed everything was dirty at that point; we reimaged, the team reimaged, over 4,000 devices, endpoints. We rebuilt the entire infrastructure, and we had some assistance from some federal agencies during that time. And so it was very helpful. But John kind of mentioned it a little bit earlier: maybe it was a blessing in disguise. You know, we learned a lot of valuable lessons at the time, but those were one of our biggest challenges of projects and things, all while trying to do our day job. Right, right.

 

Kimberly Biddings

Right. Keeping this going as usual or school going as usual. Right.

 

Ron Horn

So that was us for, for about 24 months.

 

Kimberly Biddings

And folks out there usually ask and will ask: so, paid the ransom? Did not pay the ransom. Okay. Did not. And then <laugh>, John's like, I didn't either. And then the 4,000 machines still blows my mind from when you first told me that. What timeframe did you have to re-image all those machines?

 

Ron Horn

You know, everything is yesterday. We know when you're in an operational environment and business has to continue, you know, we're there to serve our students, and the students are expecting to be able to take classes or to be taught. I'll just say, Kim, that the whole process probably took us about five or six months, to where we were at 90 plus percent. But we were imaging devices left and right while the infrastructure team was rebuilding the virtual environment and things. So yeah, we prioritized things. My team, along with the senior leadership team, you know, I took what my team was working on and got with the rest of the senior leadership team, and we prioritized who would go first: who needs to be imaged first, what applications, based on our disaster recovery or business continuity plan, what applications need to be restored or rebuilt or restored from backups. And that's just kind of how we progressed over that five or six month period.

 

Kimberly Biddings

Right, right. Very systematic, and start knocking down the fires. And John, so 2017, was it any different? I mean, now we're in the land of ransomware; I'd assume, you know, 2017 looks about the same. We were being attacked with the same methods. So how was your experience, you know, recovering from that?

 

John Riley

We don't have the user base that Ron has. We're a company of about 500, which was plenty for my small team, but like Ron said, we took the opportunity to actually move our cybersecurity landscape to the 21st century. It was the first opportunity the organization has really had, since, you know, we were incorporated in the fifties, to actually just start over and not have all of these various generations of ailing technology and software and settings and so on. On the one hand we had engineers that were redesigning and restoring our Active Directory, which was the key critical compromise piece. It was an AACT vendor account. And I could go on for two hours about giving vendors anything other than, you know, basic level access accounts.

Anyway, a vendor account was hacked. They went sideways; they compromised our corporate systems. So we pivoted and just redesigned everything, assuming that the virus was still out there. It turned out that most of our employees could get their work done with internet access, because we had moved a lot of our critical services to cloud based platforms. Not all of them, but a lot of them. And so our approach was to just wipe laptops and put them back out there with only access to the internet as we rebuilt our enterprise side of things. We didn't add the computers back to Active Directory or let people connect with VPN until we had all of those internal systems hardened. We just assumed people were out there getting infected. Right. And so when we were ready to bring all of those users' machines back into the domain, we re-imaged them a second time, put all of our new suite of controls, et cetera, on them, and then rolled them back out. So, like Ron said, it happened in June, and we were probably largely finished in February, March, with a team at the time that was only eight people. So, yeah.

 

Kimberly Biddings

Yeah. Still looking at six months plus to get out of that situation. Any highlights from the last 12 months? Like you said, a compelling event to get more cyber investment; I know there's a silver lining to the dark cloud. Yeah. But how about the last 12 months, and any key investments to highlight before I turn it over to Bruce?

 

John Riley

Absolutely. So KQED, just in 2019, we started renovations of our headquarters studio in San Francisco. So we had moved all of our operations to a temporary space downtown, including our FM broadcasting. So we did FM broadcasting from a new rental, temporary space downtown, and then the pandemic hit right in the middle of renovation. So we had this huge construction project, everybody went remote from a temporary location anyway, which actually wasn't that hard because we had been converting people to laptops for a couple of years prior. So we were actually ahead of the curve on that, but within the pandemic my staff had to support this new remote paradigm. We also had to get our corporate headquarters rebuilt and move out of our temporary space downtown without ever interrupting broadcast. So, you know,

 

Kimberly Biddings

You do have that live element, always.

 

John Riley

Any of my panelists last 12 years to that.

 

Kimberly Biddings

Yeah. The live element of your, you know, the-show-must-go-on business is extreme. And so Bruce, any highlights for you for the last 12 to 24 months that you wanna share as well?

 

Bruce Sarte

Well, I don't have the exciting stories to tell that John and Ron have, but I have to say that one of the things I wanna mention before I talk a little bit about what we do is that one of the big takeaways that folks probably have today is the timeframes that it's taking to recover. I mean, look at Ron, who has a much bigger user base than John, but even for John it's months. It's not days; it's not hours. It is an extended period of time. And so security is a very serious concern, because we wanna prevent that. Right. Yeah. I know John was redesigning; they were rebuilding things, which was really cool. But <laugh>, I can tell you if we got hit in the way that John or Ron was, we wouldn't have those opportunities to do the things in the way that they did them.

It would be a very different story here. Now, the upside is that we've spent a lot of time. You mentioned in the slide 12 to 24 months; we've been spending three or four years trying to put together a holistic, multilayered approach to security in an environment that hadn't really thought about it before. It was an everything-on or everything-off type of security environment for everyone. And the reality of that is that it either prevents people from doing the work they need to do, or it opens the door so wide that anyone can come in and do anything they want. And so data was exposed and people didn't even know it; they had no real grasp on the potential for disaster that existed. So we spent time, we created this layered approach. I think that, as IT professionals, folks watching can probably identify with this: IT had spent probably decades looking from the outside in, keep people out.

Yeah. How do we keep people out of our network? How do we keep people off of our machines? Which is necessary. We as a community got comfortable with our typical antivirus, anti-malware, anti-whatever-you-wanna-call-it type products, our endpoint protection products, and they would do the job. And what we're learning over the past five, six years that ransomware has come is that it just doesn't work, right? Or, I'm sorry, it doesn't work for that sort of a situation. So we've put together a layered approach. We have a situation here at Cedar Crest where, sure, we get infections, we get things. But our systems are able to compartmentalize, contain, and restrict the, I'm gonna call them infections, we'll just call it infection for lack of a better term. And so those are the things that we've really started to get better at over the past 24 months.

And as we rolled in, I think someone, or maybe it was on the slide, mentioned the idea of cyber insurance. Can't get it if you don't have certain pieces in place, or you're paying two times, three times, four times what you were paying before if you don't have it. So we have focused on checking those boxes, making sure that those layers are in place, in addition to the things that we had been previously doing, to keep that layered security approach in place from the outside in, from the inside out, and then that middle piece that creates the gap between a bad day and a disaster: a bad day for one person and a disaster for the organization. So that's really been our focus for the last two years, and we continue to do that. It never ends, let's put it that way. That's our focus moving forward. It really never ends, especially with the newer multifaceted attacks that we're seeing.

 

Kimberly Biddings

Right? Yeah. It really doesn't, right. I don't think the job is ever done. And I think one interesting concept is zero trust, right? Buzzword, framework, however you feel about it. What I heard in terms of the attacks is that we didn't know what was dirty. We didn't know where it stopped, and that really has become the challenge: there is no perimeter, or there's no "how far does it go?" kind of question. It's just an assumption that it could be anywhere. And I think that's really changed people's security perspective over time. So, jumping into the looking forward part: we just talked a lot about how you all have dealt with significant challenges that have continued to evolve for the past two years or so. And so we wanted to look forward, in terms of the core of the presentation, and say, okay, what is it looking like now as we look ahead for the next 12 months? Lots of the same, or are we seeing things radically change? So what is your cybersecurity prediction or predictions for 2022? Ron, let's start with you for this one.

Ron Horn

So I was rubbing the crystal ball a lot last night and it was cloudy. That's a great question. I think, just as you were talking about that, Kimberly, I was thinking about Log4j and the impact to the nation, to the world, and all it can touch, or it has touched, is currently touching, and will continue to touch for some time now. I think we're going to see a continuous barrage of attacks on systems that are more common throughout the industry, no matter which one. So whether you're in healthcare, manufacturing, retail, higher education, whatever industry you're in, the application that's common across all of those industries, like Log4j was, I think we're gonna see a continuation of attacks on those vectors, because it's a numbers game, right?

If you look at vulnerabilities for injections or things that could happen with one application, you narrow down the groups that it could affect, but if you're attacking something that is so broad, that has a wide spectrum of outreach, your numbers greatly increase, and your chances are that you're going to infect something and get a win, if you will, in the attacker's case. I think we're gonna see that continue. I think the other thing, one of the other things... how many are we allowed, Kimberly?

 

Kimberly Biddings

I'll give you two, Ron, just in case you steal everybody else's.

 

Ron Horn

The second and final one for me is that I think recruitment of talented security professionals is going to continue to grow and diversify. I think from that perspective the industry is going to look, you know, where they were so rigid about certain qualifications or certifications before, I think we're gonna see some expansion there and more consideration given towards experience and the current state of what the person has been working on. So I think the talent pool competition is going to continue to be fierce for a while.

 

Kimberly Biddings

Totally agree. The vulnerabilities: when I worked at a security ratings organization, we looked at patching and vulnerabilities and the cadences, and I think it was something like four years as the average time a vulnerability is basically exposed, out there and unpatched, and remains unpatched in terms of vectors. So even though we know they exist and we have solutions for them, keeping up with that cadence is very, very hard. Chuck, how about you? Which predictions for 2022 do you have out there?

 

Chuck Markarian

Well, yeah, I would echo everything Ron just said, first off. I think the whole resource thing is going to continue to be a challenge, and, you know, for folks like Ron and Bruce in higher education, that's a tough one. I mean, we all know there's just not a lot of resources available there. So it's hard to get them, even for ourselves. We're a 26 billion company, but attracting, and not only attracting but retaining, resources, seeing salaries that are sometimes two and three times what you're paying them, it's hard to retain that really good talent. And I think, again, to what Ron said, it's looking at alternate sources for the talent, looking for skill, for experience. When I'm interviewing people, I look for people who are curious and who have a passion. I don't really care all that much how much security training they have if they have a passion for it and they're interested in it.

And if they're curious, we'll train 'em and develop 'em. So I look for those traits. As far as other predictions, you know, I think we will continue to see ransomware attacks and we'll continue to see a rise in that. There's been some threats about government regulations and those things about paying ransom. So anytime you start to see that happen, you see a potential money source starting to dry up. So what's gonna happen is everybody jumps on that money source hard and heavy for a period of time. So I really think that we're gonna see ransomware attacks continue to hit us hard for a while. I think that all of these various increasing regulations, like I talked about with UNECE, are gonna make all of our jobs incredibly difficult. It's one thing to have a secure environment. It's a whole other thing to have a compliant environment. You know, personally I'd take secure over compliant, but you have to have both in many cases. So there's a lot of challenges to get in place. And sometimes those regulations that come out sound really great on paper and theoretically are awesome, but implementing them is a challenge. And I think we're gonna see a lot of challenges with that over these next couple years. So I'll leave it with those.


Kimberly Biddings

No, those are fantastic. And it's I, I always think of compliance regulations, like expanding and contracting, right? They, they become like really intense and then they figure out no one can implement this. So we, we contract and right now we're in that explosion mode of just regulations and, you know, even the government mandates and the latest article I read on like, how come the government couldn't deploy MFA in six months, you know, what happened? And it's like, that's a challenging thing to do. So no, no surprise there. Bruce, how about your predictions?


Bruce Sarte

Well, I wanna, I wanna jump on the resource bandwagon here real quick because I, I am hiring right now and I can absolutely attest to the idea that the power is in the hand of the job seeker right now. Mm-Hmm <affirmative> and I don't think that's gonna change anytime really soon. I mean, you know Ron mentioned how we're going to start seeing a more focused need for security professionals specifically, we're gonna look for experience, we're gonna look for real hands that can get in the pie and, and fix it. But that is going to come at an ever-increasing cost to organizations, that number isn't going down. And I, and I think Ron is also right, that we're gonna see more and more people available to do this, but, but that's not going to have the traditional effect where we see more people doing something, which means that they are now coming at a lower price tag.

It's gonna be just the opposite. Because I think that we're also gonna see compliance become more of an issue on paper where Chuck pointed out the difference between secure and compliance, right? It's not the same thing, right. To be taken you know, for, for people to take you at your word, you've got to be compliant. And so that's gonna be important and the researchers have to be there to make that happen. Mm-Hmm <affirmative> and I also think that we're gonna see the attacks become, continue to become more complex, more layered, more diverse in the way they not only come at us, but then also the damage that they do, it's not enough to, you know, the ransom is one thing, pay it, don't pay it. You know, Chuck alluded to the idea, I think that you know, as the, as money goes from one place to another, people jump on it. But it's not just gonna be about the money coming a again, I, so I think that those are some of the things that we're gonna see coming up


Kimberly Biddings

For sure. For sure. And John, last one, not least for John. I, I had you last on the other intros, but we'll, we'll put you first next one, John <laugh>.


John Riley

Okay. I would say predictions for 2022. I think we saw a large number, an increasing number of AWS outages last year for different reasons, but I think that's only gonna get worse. The Log4j situation really exposed that when you have a vulnerability with something ubiquitous like Apache, that it's, I mean, will it ever actually be resolved because that technology is pretty old and it's, and it's absolutely everywhere. So I think the day is coming the day, you know, the, when, when the cloud the big cloud compromises start happening, mm-hmm <affirmative> I think it's inevitable along these lines and what keeps me up at night. I think Ron's crystal ball is cloudy because he didn't run his software updates on it. So <laugh>, but what keeps me up at night is social engineering, which is also the piece that generally, I think a lot of strategy, cybersecurity strategies forget or avoid, which is really, to me, the most crucial because as we get better and better at partnering our systems and, and defense and layers, right, defense in depth, mm-hmm, <affirmative> technological controls, we become harder and harder to breach, people just start showing up at your business and tricking their way onto premises or leaving infected thumb drives, or you know, spear phishing, phishing, all, all kinds of tricks, calling help desk with a recorded baby crying in the background in an urgent sense of, of password that people are always, this is broad strokes, but generally people are the weakest link in cybersecurity, right?

People push for convenience, cybersecurity is, is the ongoing tension between secure and convenient, right. And including myself pushed for convenience mm-hmm <affirmative> right. So I think that’s our fatal flaw and social engineering, and in some ways may actually get the keys to the kingdom faster than any other method. So mm-hmm, <affirmative>, I think, I think we'll see a, a rising awareness of social engineering and how hard it is to spot.


Kimberly Biddings

Right. Now these are, these are excellent, excellent predictions. We're gonna jump forward to the recommended advice. I will throw out my prediction, which is somewhat controversial. And I think passwords will still be here at the end of 2022. I I've been, you know, we've been talking about the end of the password and the death of the password for my whole career, which isn't that as long as everybody else on this call but like, they're just not going anywhere. And I, I think, you know, the sessions like getting rid of the password and everything for me I put that prediction out there also as a challenge to all of us that we gotta be better than this, you know, like we have to get to a point where we're just, we're not talking about getting rid of them or removing them, but we actually do it and start putting plans in place to do it.

And regardless of your organization, it's possible to do that. And you have to get the project plan in place and start working with change management, which I think is the other really hard thing to do about it. But unfortunately my prediction is that the top, you know, 100 passwords to break, the top one will still be password12345. Maybe we'll get to six and seven at the end of that. But like, unfortunately I think, I think we're still gonna be talking about the same thing you know, come the end of the year. Alright, so great predictions. We're gonna turn it over to wrap things up, but you know, everybody listening out there, the predictions are great hearing. The real life stories are fantastic. But you know, what advice do you have for the audience, right. As, as everybody's listening in, it's like, okay, I've gotten all this information, we're getting attacked. Right. We always talk about those. Let's do one piece of advice each. What would be your one piece to share with folks out there when they start thinking about their cybersecurity strategy in 2022? John, I am gonna start with you this time, as promised.


John Riley

Okay. I would say regardless of the size of IT department or resources or budget, you have to prioritize two things. One is removing local admin privileges for, for end users. Just broad statement, do not give end users local admin privileges. If you have the budget and the staff, I, I advocate for what Microsoft calls LAPS, which is the Local Admin Password Solution, which constantly changes. It's an attachment. It's a, it's like a sidecar to Active Directory that constantly changes, at intervals that you set, the local admin passwords for your servers and your end users. It's great, but if nothing else just remove their admin privileges. And second, which is a little bit more so, and a little bit more time consuming, but would, would have saved us in 2017. Would've saved the Ukraine over the weekend. And that is an application control system, a system that flags any unknown executables that try to run or forbidden executables that have tried to run on any machine, I'm presuming Windows and Active Directory in that statement, because if we had had comprehensive application control in 2017, the ransomware executable, which was called Followed2.exe, would not have been able to launch. So.


Kimberly Biddings

Okay, great. And yeah, the security, I'm a security policy person, right? Like, don't start implementing until you got your policies and your people noted down and understand them. Security policies should be on the application level as well. So, you know, best practice there. Also, Chuck, advice for the audience.


Chuck Markarian

What do you have, what John said to start?

Awesome. Another thing if you allow, and I think we all do, any type of remote access into your systems, MFA, some sort of second factor, that's gotta be like table stakes. You absolutely have to have that. If you don't have that, you need to push as hard as you can with your executives to get that in place. I know it's maybe a little bit of an inconvenience, where there are ways to make it fairly simple and straightforward to do, but it's an absolute must. And hopefully all of us have that today, but I'm always amazed when I talk to people that don't. And the other thing, and this is the, the non-exciting part about security. Everybody likes the shiny tools and all the cool things that are out there. Just, just wash your hands, get good at the general hygiene. Patch your systems, patch, patch, patch, patch, patch. A vulnerability can't take advantage against something that's been patched for. So put a heavy focus on that. People ask me all the time. I say, if, if I can only do one thing, if you only allow me one thing I could do in security, it's we would be the absolute best at patching because that'll take away probably 95% of your, your real risk. So just those would be my two things: MFA and patching, general hygiene.


Kimberly Biddings

Those are fantastic. And I, I love that they are not very futuristic. They are brass tacks, get it done you know, best practices. So those are, those are fantastic. Ron going to you,


Ron Horn

So well what John and Chuck said <laugh>,


Kimberly Biddings

We're building a whole cybersecurity strategy for the audience at this point. I know. Right.


Ron Horn

So from an administrative perspective, I'm gonna go out and say train and educate everyone in your, in, in your path. Yeah. I don't think that you can do enough training and educating of your, you know, of your, your staff, your faculty, your other employees, your peers, whomever it is, to include your leadership team. I think it's very important to get everyone involved and it's a tough sell for a lot of organizations you know, unless you've been hit. But fortunately we had started it beforehand and it still sometimes won't prevent it. You can run a program for years and you'll still have people who just love to click on links. Oh yeah. <Laugh>, that's, that's just the way it is, but education and training is probably one. And then the second one, I think Kimberly is something that we all, most of us, probably a lot of us struggle with is, is getting the attention that we need from the organization, from the leadership team.

So my second thing is, is socializing, socializing the accomplishments and what it is that the security team or your IT team is doing to the leadership team so that they can see that there's an ROI for, for the investment that they're making. We're not just ticket takers, mm-hmm <affirmative>. And so they can actually see you know, a current state of where you are or where you were in a future state of where you're going in that roadmap and keep socializing those things to the leadership team. I think those are my two things.


Kimberly Biddings

Those are fantastic. I mean, they say, right, IT and security professionals are getting time with the board. They're getting time now with executives, use it. And I would always, you know, I'll echo that too, where we always said like, don't speak geek, which is, you know, somewhat crass, but very true, like talk about reputational damage, revenue impact, competitors stealing your lunch, you know I'm in marketing, we talk about what's the value to them, you know, articulate it in a way that they'll understand why it's so important. So I think that's huge. Bruce,


Ron Horn

Just one other tiny thing on that. Mm-Hmm, <affirmative> Kimberly is just showing those numbers. Yes. If you will, of the, of the amount of attacks that you're getting as an organization, in the tens of thousands on a daily basis, is a real eye-opener for, for a lot of leadership teams.


Kimberly Biddings

Yeah. I don't think they realize how many are happening that you're blocking and if they knew they, they would be up at night too, would be my guess. Sure. And Bruce bringing us home <laugh>


Bruce Sarte

Well, I think, I think I'm gonna, you know, jumping off a little bit of what Ron was saying is that education is one of the biggest components to a secure infrastructure. Ron talked a, a little bit about testing and, and educating your people, and that is super important, but also it is just as important to educate up. Right? So you educate out, but you wanna educate up as well. Ron talked about showing the number of attacks, but, and, and you said don't speak geek, right? So, and that's absolutely a key component of being able to explain those attacks, explain what they mean, and illustrate the value of the success of blocking those attacks, or even being able to distribute the information of, we actually had X number of infections this year and we remediated them, or we prevented damage, or we, those are very important components for any technology team who actually does have someone's ear today or tomorrow, or whenever it is, to be able to illustrate the value up and out at the same time.

Because when you, when you illustrate out, you build confidence in the constituency, when you illustrate up, you build confidence in those people who can make the decisions to, to fund your project, to add resources to your team. Maybe before you have a situation where you have to spend 6, 7, 8 months re-imaging laptops and creating new infrastructure. And the second part for me is to make sure that your team has awareness. So what I mean by that is know what's going on in your infrastructure, know what's going on in your network, know what's going on outside your network, make it more than just one person or two people or a small team. It's important because when we share information across disciplines, even in technology disciplines, it helps us to connect the dots better and prevent potential issues before they happen. So I think those are the two big things that I think are important that are different maybe than everyone said.


Kimberly Biddings

Mm-Hmm. <Affirmative> fantastic. Fantastic. Yeah, everybody nowadays is, is, has to be aware of cyber from, you know, the person in HR to the executive, to the entire IT staff. It's all of our responsibility and I think that's a, that's a great point. Right. So we're gonna wrap up to our audience, hope you enjoyed today's session. It was just tremendous to hear these firsthand perspectives and advice from our panelists. There will be a survey that'll pop up at the end of the webinar. That'll just ask you, what's your 2022 cyber prediction. So if you have different ones or you wanna share any, we would love to hear them. Also invite you to subscribe to our blog on blog.bio-key.com to check out news and hot topics. We post weekly on a lot of these subjects we've covered today, as well as additional ones. So we're gonna open it up to questions real quick. For our panelists, we did get one from a, in the audience. And the question was, are you having trouble getting cyber insurance now that you've had a breach and has your renewal skyrocketed? So that's probably for folks that experienced it firsthand or, or maybe implications otherwise. Yeah,


Ron Horn

I'll, I'll, I'll take that one first. Kimberly. So as far as having trouble, it depends on your definition of trouble. Any, most people will do anything for a certain dollar amount as we've discovered. The tough part is, is getting reinsured after a cyber attack or getting underwritten again, mm-hmm <affirmative> so that's, that will be a challenge. I will tell you from experience that, you know, our incident happened in September of 2020, and, and we went to be rewritten again last spring and the requirements, not only in the premiums but the expectations of the insurers as far as checklists or questionnaires, probably quadrupled mm-hmm <affirmative> not only in volume, but in complexity, as far as, you know, you must have multifactor authentication, you must have privileged access management, you must have air gaps in your backups. Then the list just went on and on. So yes, it, it, it is more challenging, it can be done. But I would just talk to your peers and, and shop around and see what the requirements are. And most importantly, see what you're covered for during an incident or a cyber attack.


Chuck Markarian

Quickly Kimberly, too, regardless of whether you've had a breach or not, the questions are getting harder, they're getting more educated. And even if you haven't been breached, cyber insurance costs are going up two and three X across. So even if you haven't been in a breach, expect to pay significantly more at your next renewal.


Kimberly Biddings

Mm-Hmm <affirmative>. And I would say my other advice I'd give folks just hearing kind of the horror stories is check with procurement and know when your renewal date is. I had someone come up to me at a recent conference and procurement had held on to the renewal thinking it's just like every other year we've renewed and gave the IT director the requirements list a month before it was due. So now basically he had to scramble and implement multifactor in less than 30 days, which I would not recommend. So that's the other thing is, is I think typically it's been on autopilot, realize it's going to be a stricter control when you get it. Any other comment on cyber insurance related to attacks that either John or Bruce, have you seen it at all?


John Riley

We just I, in the this year, this calendar year, I went through the a, a new cyber insurance checklist that has gotten almost ridiculously granular and long compared to what, what we had back in 2017, which actually did cover us. Right. And a lot of the things that, that the insurance requires now has taken us years to get to and maintain. But, and I think, you know, they, they're asking for more than, I think they, most, most entities can deliver because the, they are questions about, do you have a warm site, right? Do you have, do you have a space available? That's ready in disaster? Do you have a hot site ready? Mm-Hmm <affirmative> that's got data and coffee ma you know, it's, it gets to the point where you're just like, are you, who are you kidding me? Like <laugh> but the more of those you have that you say you're compliant with, obviously your premiums are less.


Kimberly Biddings

Right, right. Yeah. It's listen, I was in cyber risk before this role and some of the biggest consumers of the data was insurance companies. And they're trying to offset that risk, you know, and there's gonna be a point when it's offset so much, it, you know, is it worth, it is, it's not a question we're addressing right now, but that's another consideration.


John Riley

Yeah, one thing I wanna say about cyber insurance policies, it is a known tactic for intruders, ransomware folks, to get into your network and try to find your policy. Yeah. They'll set the ransom at what the policy limit is. The advice is to not store your cyber insurance policy on your network.


Kimberly Biddings

<Laugh>, that's it. Yeah. They've actually been going into or trying to hack the actual cyber insurers. Right. And see who has the biggest payout. And let's go figure out how to get that. It is, it's a business, you know, you look at for your target market, that's it to go after. Alright, one last quick question for you all, budget increase. So is your cyber budget increasing this year or staying the same or being reduced? Chuck, let's start with you.


Chuck Markarian

I'm not gonna, it's probably going up a little bit up a little bit, but really it's not giving me the ability to increase a lot of things. Okay. You know, they're just price increases by vendors paying more for people, that sort of thing. So, yeah, it's going up a little bit, but really pretty steady state, I would say.


Kimberly Biddings

Okay. Bruce, how about you?


Bruce Sarte

Our overall budget was cut. Now I have allocated more towards this out of what I do have than I normally do. And it, but again, going back to the idea of discussing resources, it just means I have fewer resources or less resources to do, to do other things mm-hmm <affirmative>. But that's more pandemic related. That's not really a response or not a response to the current climate of cybersecurity. It's just, it's the pandemic.


Kimberly Biddings

There's just a resource. Yeah. I know in higher ed, the enrollments have been significantly impacted for, you know you folks in, in double digit percentages. So it's, it's been painful for higher ed overall. John and Ron up, same down. How about cyber budget?


John Riley

I would say we <affirmative> since 2017, we've basically modernized every one of our systems across the board, end user, enterprise, broadcast. So we, we're at, at a current state, we've spent a lot of capital to get us new headquarters. But we're also increasing connection speeds at our different locations, you know, 10G versus 1G. And we're doing some other initiatives around business continuity and disaster. We do live in San Francisco, so, you know,


Kimberly Biddings

Somewhat. Yeah. Okay. And Ron, how about you?


Ron Horn

Yeah, so for us we did see a pretty sizable increase in our security budget you know, around attracting, you know, and retaining talent to finish some of the implementations that we were starting during our cyber attack and to add on to those you know, where we don't have a large number of people in our shops, if you will, and resources are, are spread pretty thin. And the amount of responsibilities that each of my folks have to take on is, is pretty immense. We're having to contract some services, like SOC as a service mm-hmm, <affirmative> where you have vulnerability management or concierge type services, 24/7, we're having to look at, at those things. So we had a, a pretty good increase this year, and that will probably continue for the next few years.


Kimberly Biddings

Okay. That makes sense. All right, everybody. Well, I just wanna send a huge thank you to our panelists. This was a tremendous discussion, and hopefully everybody listening in, you got a lot of value from it out there. Lots coming up in 2022 you know, a lot of the same and some also new predictions out there. So huge thank you to each of you for joining me today. And I look forward to, I'm sure, talking to folks in the future, but thank you again,